risk management

Council Post: Copy. Adapt. Secure.—How CISOs And Boards Can Learn From Everywhere

Boards and CISOs are struggling to communicate cyber risk effectively. Instead of relying on more data and controls, CISOs should adopt proven risk management approaches from other industries, such as aviation, public health, and urban planning. By using these frameworks, CISOs can help boards understand cyber risk better and make informed decisions about security investments and strategies.

https://www.forbes.com/councils/forbestechcouncil/2025/12/29/copy-adapt-secure-how-cisos-and-boards-can-learn-from-everywhere/

“Threat Actors Have a Goal in Mind and They’ll Use Whatever Path They See to Get That Goal”

AWS CISO Amy Herzog discusses enhancing cybersecurity using AI, emphasizing specificity in AI roles and the need for realistic expectations about security effectiveness. She encourages businesses to focus on risk measurement and adaptability, rather than just scanning outputs. The new AWS security agent aims to proactively prevent issues, reinforcing that 100% security is unrealistic; instead, achieving a balance of functionality and control is key as threats evolve.

https://www.techradar.com/pro/security/threat-actors-have-a-goal-in-mind-and-theyll-use-whatever-path-they-see-to-get-that-goal-aws-ciso-tells-us-how-your-company-can-stay-safe-by-being-more-like-amazon

Dark Reading Research: The State of Application Security

Security professionals are increasingly concerned about attacks exploiting third-party software dependencies, particularly those using open-source code. The 2025 State of Application Security report highlights the growing risk of such attacks, with 56% of respondents believing their organizations are at greater risk than a year ago. The report also reveals challenges in securing applications, including the use of open-source code, container vulnerabilities, and a shortage of skilled application security practitioners.

https://www.darkreading.com/application-security/dark-reading-research-the-state-of-enterprise-application-security-2025

What Is DOD’s Cybersecurity Risk Management Construct?

DOD has introduced the Cybersecurity Risk Management Construct (CSRMC) to strengthen cybersecurity through dynamic, automated processes that replace outdated static checklists. The phased approach promises proactive security management, emphasizes collaboration among cyber operators, and enables real-time defense against emerging threats.

https://fedtechmagazine.com/article/2025/12/what-dods-cybersecurity-risk-management-construct

How Much Risk Would a CISO Risk if a CISO Could Risk Risk? (LIVE in Boca Raton, FL)

Key Points:

CISO role & business alignment: CISOs are often misunderstood and underpowered; success hinges on relationships and explaining cyber risk in revenue, operations, and trust terms.

Risk framing & CEO communication: CISOs must translate vulnerabilities into business impact, answer “Are we secure?” candidly but constructively, and help CEOs look informed and prepared.

Industry vs. business problems: Some issues (e.g., 2038 bug, protocol flaws) are industry-wide; they require collaboration through associations and better vendor listening, not just regulation.

Ethical trade-offs & incident response: In a Black Friday scenario, panelists debated whether brief downtime or ongoing limited data theft is worse; the audience favored avoiding deliberate data exfiltration.

Talent, AI, and community: AI is seen as augmenting staff, not replacing them; keeping up with regulation and recruiting talent relies on networks, counsel, culture, and continuous learning.

https://cisoseries.com/how-much-risk-would-a-ciso-risk-if-a-ciso-could-risk-risk-live-in-boca-raton-fl/

Ethical AI Governance in 2026: Best Practices for CISOs and the Middle Market

CISOs in middle-market organizations must lead ethical AI adoption, balancing innovation and governance amid budget constraints. They face unique challenges, like algorithmic risks and compliance pressures, necessitating cost-effective frameworks and strategic partnerships. A roadmap for success includes assessing AI exposure, establishing robust policies, engaging leadership, and fostering a culture of collaboration, ensuring AI governance aligns with business values. By prioritizing ethical oversight, CISOs can drive innovation while building digital trust, setting the stage for sustainable growth in a rapidly evolving tech landscape.

https://www.rsm.global/latinamerica/en/insights/ethical-ai-governance-2026-best-practices-cisos-and-middle-market

How Much Cyber Risk Should a CISO Own?

CISOs' ownership of cyber risk is debated: while traditionally viewed as scapegoats, many argue they must assert responsibility. Discussions highlight the need for CISOs to align with business strategies and effectively communicate risk impacts to executives. Ultimately, risk is a shared responsibility across an organization, but CISOs should influence decisions and advocate for cybersecurity initiatives, despite potential limitations in authority. The role necessitates ongoing education of board members regarding cyber risks to enhance accountability and operational effectiveness.

https://cisoseries.com/how-much-cyber-risk-should-a-ciso-own/

When 30 Tbps Hits: What the Record-Breaking Aisuru DDoS Attack Reveals About Today’s Internet-Scale Threats

Aisuru's DDoS attack: the Aisuru botnet executed a record 29.7 Tbps DDoS attack, demonstrating elevated attack capabilities built on compromised, vulnerable IoT devices. Its scale is a warning to organizations about increasingly sophisticated and large-scale threats. Even without being targeted directly, businesses that rely on cloud services and APIs face collateral risk. Effective security requires unified, AI-driven platforms for real-time detection and response across all layers. The incident underscores the urgency of improving defenses against large-scale cyber threats.

https://securityboulevard.com/2025/12/when-30-tbps-hits-what-the-record-breaking-aisuru-ddos-attack-reveals-about-todays-internet-scale-threats/

Key Questions CISOs Must Ask Before Adopting AI-enabled Cyber Solutions

The article outlines crucial steps and questions for CISOs considering AI-powered security tools. Threats involving AI, like deepfakes and data leaks, are growing, making AI-driven defenses necessary. Organizations benefit from faster breach recovery and cost savings with AI, but also face risks from unmanaged shadow AI. Key uses of AI in security include threat detection, automated reporting, and alert management. CISOs should evaluate the organization’s risk tolerance, specific security needs, and regulatory environment, and consider whether to adopt platform-based or point solutions. When assessing vendors, focus on areas such as shadow AI identification, data protection, effectiveness metrics, workforce impact, tool integration, regulatory compliance, trust in AI decisions, scalability, vendor reliability, ongoing support, and total cost.

https://www.csoonline.com/article/4094763/key-questions-cisos-must-ask-before-adopting-ai-enabled-cyber-solutions.html

The 5 Elements of a Good Cybersecurity Risk Assessment

5 elements of a good cybersecurity risk assessment:

  1. Real-world impacts: Assess the actual effects outside cyber systems to prioritize security needs effectively.
  2. Understanding systems: Grasp the architecture and functions of the cyber or cyber-physical systems for accurate threat modeling.
  3. Attack scenarios: Develop specific attack models leading to significant real-world impacts to shape security requirements.
  4. Cybersecurity requirements: Establish clear, justified security measures linked to risks and compliance standards.
  5. Reports: Create understandable summaries for various stakeholders, detailing decision-making rationales and security measures.

Utilizing diagrams throughout enhances clarity and decision-making effectiveness.

https://industrialcyber.co/expert/the-5-elements-of-a-good-cybersecurity-risk-assessment/
